
The end of Safe Harbour

The recent ruling on the EU Commission’s Safe Harbour Decision by the Court of Justice of the European Union (“CJEU”) has significant implications for companies that transfer personal data to the United States or have signed up to Safe Harbour.

What was Safe Harbour?

Safe Harbour was a framework agreed between the US and the European Commission whereby personal data could (up to the date of the CJEU’s judgment) be transferred to the US.

This could be done without contravening the general prohibition under EU data protection law on the transfer of personal data outside of the European Economic Area to countries which are deemed not to provide an adequate standard of protection for personal data.

The Decision

The CJEU held that the EU Commission’s decision 2000/520/EC (the “Safe Harbour Decision”) is invalid because of the lack of protection for EU personal data in the United States. This means that companies can no longer rely on safe harbour certification in order to legalise the transfer of personal data from the EU to the US.

The CJEU also ruled that the existence of decisions such as the Safe Harbour Decision does not prevent national supervisory authorities from examining whether the transfer of personal data to a third country complies with the requirements of EU data protection law.

What now?

The Irish Data Protection Commissioner will examine the complaint by Austrian citizen Maximilian Schrems and decide whether the transfer of personal data by Facebook Ireland to servers in the US should be suspended because the US does not provide an adequate level of protection for personal data.

What does the judgment mean for businesses?

Businesses that export personal data to a US entity that has signed up to Safe Harbour, or that have themselves signed up to Safe Harbour, must put alternative arrangements in place to legalise the transfer of personal data to the US. These steps include the use of EU Model Clauses or Binding Corporate Rules.

Statement of Article 29 Working Group – Friday 16 October 2015

The Article 29 Working Party (the “Group”) coordinates the application of data protection rules across the EU. It includes representatives from the national data protection authorities of the EU’s member states, the European data protection supervisor and the European Commission.

In a statement issued on Friday 16 October 2015, the Group stated that if no replacement for Safe Harbour is agreed with the US authorities by the end of January 2016, the EU data protection authorities would take all necessary actions which may include coordinated enforcement actions. It advised that EU data protection authorities will put in place, at national level, information campaigns to keep companies who previously relied on Safe Harbour up to date.

The Group called on the EU and the US to urgently work towards a new data transfer agreement, but said that such an agreement must respect fundamental rights and be “accompanied by clear and binding mechanisms” and include obligations on “the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.

Action plan

Companies that transfer personal data to the US should immediately review their contracts to check the grounds on which they legalise the transfer of personal data to the US.

If they relied on the Safe Harbour regime, they will need to find another way to legitimise the transfer of personal data, such as by using EU Model Clauses or Binding Corporate Rules. Reliance on the consent of the person whose personal data is to be (or was) transferred is not recommended. If these options are not available, the companies might consider (in the short term) moving the personal data back to the EU and using EU-based providers who store the data in the EU and do not have affiliates in the US, as an adequate level of data protection is guaranteed throughout the EU courtesy of the Data Protection Directive.

The time to act is now because if companies fail to do so and they continue to transfer personal data to the US, they run the risk of being the subject of legal action after the end of January 2016.
